net.wars: February 2011 Archives


February 25, 2011

Wartime economy

Everyone loves a good headline, and £27 billion always makes a *great* one. In this case, that was the sum that a report written by the security consultancy firm Detica, now part of BAE Systems, and issued by the Office of Cyber Security and Information Assurance (PDF) estimates cybercrime is costing the UK economy annually. The claim was almost immediately questioned by ZDNet's Tom Espiner, who promptly checked it out with security experts, who complained that the report was full of "fake precision" (LSE professor Peter Sommer), "questionable calculations" (Harvard's Tyler Moore), and "nonsense" (Cambridge's Richard Clayton).

First, some comparisons.

Twenty-seven billion pounds (approximately $40 billion) is slightly larger than a year's worth of the International Federation of the Phonographic Industry's estimate of the cumulative retail revenue lost to piracy by the European creative industries from 2008 to 2015 (PDF) (total €240 billion, about £203 million, eight years, £25.4 billion a year). It is roughly the estimated cost of the BP oil spill, the amount some think Facebook will be worth at an IPO, and noticeably less than Apple's $51 billion cash hoard. But: lots smaller than the "£40 billion underworld" The Times attributed to British gangs in 2008.

Several things baffle about this report. The first is that so little information is given about the study's methodology. Who did the researchers talk to? What assumptions did they make and what statistical probabilities did they assign in creating the numbers and charts? How are they defining categories like "online scams" or "IP theft" (they're clear about one thing: they're not including file-sharing in that figure)? What is the "causal model" they developed?

We know one person they didn't talk to: Computer Weekly notes the omission of Detective superintendent Charlie McMurdie, head of the Metropolitan Police's Central e-Crime Unit, who you'd think would be one of the first ports of call for understanding the on-the-ground experience.

One issue the report seems to gloss over is how very difficult it is to define and categorize cybercrime. Last year, the Oxford Internet Institute conducted a one-day forum on the subject, out of which came the report Mapping and Measuring Cybercrime (PDF), published in June 2010. Much of this report is given over to the difficulty of such definitions; Sommer, who participated in the forum, argued that we shouldn't worry about the means of commission - a crime is a crime. More recently - perhaps a month ago - Sommer teamed up with the OII's Ian Brown to publish a report for an OECD project on future global shocks, Reducing Systemic Cybersecurity Risk (PDF). The authors' conclusion: "very few single cyber-related events have the capacity to cause a global shock". This report also includes considerable discussion of cybercrime in assessing whether "cyberwarfare" is a genuine global threat. But the larger point about both these reports is that they disclose their methodology in detail.

And as a result, they make much more modest and measured claims, which is one reason that critics have looked at the source of the OCSIA/Detica report - BAE - and argued that the numbers are inflated and the focus largely limited to things that fit BAE's business interests (that is, IP theft and espionage; the usual demon, abuse of children, is left untouched).

The big risk here is that this report will be used in determining how policing resources are allocated.

"One of the most important things we can do is educate the public," says Sommer. "Not only about how to protect themselves but to ensure they don't leave their computers open to be formed into botnets. I am concerned that the effect of all these hugely military organizations lobbying for funding is that in the process things like Get Safe Online will suffer."

There's a broader point that begins with a personal nitpick. On page four, the report says this: "...the seeds of criminality planted by the first computer hackers 20 years ago." Leaving aside the even smaller nitpick that the *real*, original computer hackers, who built things and spent their enormous cleverness getting things to work, date to 40 and 50 years ago, it is utterly unfair to compare today's cybercrime to the (mostly) teenaged hackers of 1990, who spent their Saturday nights in their bedrooms war-dialling sites and trying out passwords. They were the computer equivalent of joy-riders, caused little harm, and were so disproportionately the targets of freaked-out, uncomprehending law enforcement that the Electronic Frontier Foundation was founded to spread some sanity on the situation. Today's cybercrime underground is composed of professional criminals who operate in an organized and methodical way. There is no more valid comparison between the two than there is between Duke Nukem and al-Qaeda.

One is not a gateway to the other - but the idea that criminals would learn computer techniques and organized crime would become active online was repeatedly used as justification for anti-society legislation from cryptographic key escrow to data retention and other surveillance. The biggest risk of a report like this is that it will be used as justification for those wrong-headed policies rather than as it might more rightfully be, as evidence of the failure of no less than five British governments to plan ahead on our behalf.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

February 18, 2011

What is hyperbole?

This seems to have been a week for over-excitement. IBM gets an onslaught of wonderful publicity because it built a very large computer that won at the archetypal American TV game, Jeopardy. And Eben Moglen proposes the Freedom box, a more-or-less pocket ("wall wart") computer you can plug in and that will come up, configure itself, and be your Web server/blog host/social network/whatever and will put you and your data beyond the reach of, well, everyone. "You get no spying for free!" he said in his talk outlining the idea for the New York Internet Society.

Now I don't mean to suggest that these are not both exciting ideas and that making them work is/would be an impressive and fine achievement. But seriously? Is "Jeopardy champion" what you thought artificial intelligence would look like? Is a small "wall wart" box what you thought freedom would look like?

To begin with Watson and its artificial buzzer thumb. The reactions display everything that makes us human. The New York Times seems to think AI is solved, although its editors focus on our ability to anthropomorphize an electronic screen with a smooth, synthesized voice and a swirling logo. (Like HAL, R2D2, and Eliza Doolittle, its status is defined by the reactions of the surrounding humans.)

The Atlantic and Forbes come across as defensive. The LA Times asks: how scared should we be? The San Francisco Chronicle congratulates IBM for suddenly becoming a cool place for the kids to work.

If, that is, they're not busy hacking up Freedom boxes. You could, if you wanted, see the past twenty years of net.wars as a recurring struggle between centralization and distribution. The Long Tail finds value in selling obscure products to meet the eccentric needs of previously ignored niche markets; eBay's value is in aggregating all those buyers and sellers so they can find each other. The Web's usefulness depends on the diversity of its sources and content; search engines aggregate it and us so we can be matched to the stuff we actually want. Web boards distributed us according to niche topics; social networks aggregated us. And so on. As Moglen correctly says, we pay for those aggregators - and for the convenience of closed, mobile gadgets - by allowing them to spy on us.

An early, largely forgotten net.skirmish came around 1991 over the asymmetric broadband design that today is everywhere: a paved highway going to people's homes and a dirt track coming back out. The objection that this design assumed that consumers would not also be creators and producers was largely overcome by the advent of Web hosting farms. But imagine instead that symmetric connections were the norm and everyone hosted their sites and email on their own machines with complete control over who saw what.

This is Moglen's proposal: to recreate the Internet as a decentralized peer-to-peer system. And I thought immediately how much it sounded like...Usenet.

For those who missed the 1990s: invented and implemented in 1979 by three students, Tom Truscott, Jim Ellis, and Steve Bellovin, the whole point of Usenet was that it was a low-cost, decentralized way of distributing news. Once the Internet was established, it became the medium of transmission, but in the beginning computers phoned each other and transferred news files. In the early 1990s, it was the biggest game in town: it was where Linus Torvalds and Tim Berners-Lee announced their inventions of Linux and the World Wide Web.

It always seemed to me that if "they" - whoever they were going to be - seized control of the Internet we could always start over by rebuilding Usenet as a town square. And this is to some extent what Moglen is proposing: to rebuild the Net as a decentralized network of equal peers. Not really Usenet; instead a decentralized Web like the one we gave up when we all (or almost all) put our Web sites on hosting farms whose owners could be DMCA'd into taking our sites down or subpoena'd into turning over their logs. Freedom boxes are Moglen's response to "free spying with everything".

I don't think there's much doubt that the box he has in mind can be built. The Pogoplug, which offers a personal cloud and a sort of hardware social network, is most of the way there already. And Moglen's argument has merit: that if you control your Web server and the nexus of your social network law enforcement can't just make a secret phone call, they'll need a search warrant to search your home if they want to inspect your data. (On the other hand, seizing your data is as simple as impounding or smashing your wall wart.)

I can see Freedom boxes being a good solution for some situations, but like many things before it they won't scale well to the mass market because they will (like Usenet) attract abuse. In cleaning out old papers this week, I found a 1994 copy of Esther Dyson's Release 1.0 in which she demands a return to the "paradise" of the "accountable Net"; 'twill be ever thus. The problem Watson is up against is similar: it will function well, even engagingly, within the domain it was designed for. Getting it to scale will be a whole 'nother, much more complex problem.



February 11, 2011

Question, explore, discover...action!

Here's a thing I bet you don't know: when 350 people simultaneously dump a small vialful of small sugar pills (also known as 31C homeopathic belladonna) into their mouths and bite down it makes a helluva CRUNCH.

In this case, the noise was heard around the world, even in Antarctica. (How cool is that?)

It was a great stunt, but made a real point: homeopathic "remedies" rely on the notion that you can dilute a substance until there is nothing left of it and the stuff you dilute it with - sugar, water - will somehow "remember" the contact and relay the substance's effect. Which means that by the lights of anything we know about chemistry they have no effect beyond that of a placebo. Why, especially in this time of economic crisis, are we funding it on the National Health Service? Because, the (last) government said (PDF), efficacy is only one of many criteria, and...people like it. Equality of access to sugar pills, dontcha know.

The CRUNCH was at 10:23 on Sunday morning, the time (and the campaign name) chosen from Avogadro's number, the point of dilution past which no molecule of the original substance remains in the solution. The bottle says belladonna; the reality is sugar pills.

Why are people so willing to believe? A lot of the patterns of what Bruce Hood called "supernatural thinking" are visible in the very young children whose development he studies.

"Children are not blank slates," he said, echoing my first thought when I heard Richard Dawkins talk about children's indoctrination with religion. "Children believe things they think are plausible. That's the case for all of us." This is the downside of being human: "They already have misconceptions by the time they're 12 months old." Even a very young human brain is optimized for seeing patterns, particularly patterns that look like faces. By the time children are three or four, they're thinking about ghosts and spirits. By the time they're four or five, they already have the notion of mind/body dualism and essential energies.

The upshot, he said, is that as adults try to organize the world in their minds, even extremely rational people will find that under the right circumstances the misconceptions they had as very young children will emerge. "We don't throw bad ideas away." Stress, illness, and aging all can compromise reason.

One of Hood's examples involved a test in which people were asked to stab pictures of loved ones in the eyes. They know they're pictures; they know it won't hurt them...and yet they resist doing it. Even the most experienced, hardened skeptic can react like this: I suggested to James Randi once that he should mount a mass voodoo demonstration by asking skeptics around the world who had Randi dolls to take the three voodoo pins and simultaneously stab them in the heart. He got a very uncomfortable look on his face.

So: granted that supernatural (or magical) thinking is endemic, what do you do?

Well, for one thing, said Eugenie Scott, a former university professor and executive director of the National Center for Science Education, you bear in mind that, "What matters is what people hear, not what you say." Ultimately, she added, "You are trying to persuade people, so you have to think how to communicate."

It's true: you're not going to get very far making people feel that you think they're stupid. What skeptics can do, suggested Hayley Stevens as part of the ghost-hunting panel, is to suggest alternative explanations. There is no question that people have powerful experiences they can't explain; skepticism is not about denying the subjective reality of those experiences but about trying to understand what might have caused them.

For Stevens, the more helpful approach is to help people think about the experience rationally. Rather than just saying a particular report must be sleep paralysis, she suggested, explain what it is, explore how it might be affecting the person, and offer them different resources for understanding it. "Never say this is the answer; say this is what we think it could be," she said. Often, keeping a "ghost diary" can provide valuable clues or help a person work out a likely cause for themselves.

Although: that might move people on from thinking magically, but it doesn't necessarily draw them to science or that stuff many people seem to find scarier than ghosts, mathematics. For that, you want Colin Wright, who juggles, then explores how juggling works (and how to write it down) by using mathematics, and then uses mathematics to predict where there might be tricks jugglers are missing. The result goes something like this. With a lot more fun.

But going back to the big CRUNCH. As Steven Novella, who spoke about neurology, wrote afterwards, it was a stunt, not a scientific experiment. Even so, it made a serious point: you can down a randomly purchased bunch of these things without harm because they have no effect whatsoever. As the late journalist John Diamond wrote, there's no such thing as alternative medicine; there is just medicine that works and medicine that doesn't. CRUNCH.


February 4, 2011

Blackout

They didn't even have to buy ten backhoes.

The most fundamental mythology of the Net goes like this. The Internet was built to withstand bomb outages. Therefore, it can withstand anything. Defy authority. Whee!

This basic line of thinking underlay a lot of early Net hyperbole, most notably Grateful Dead lyricist John Perry Barlow's Declaration of the Independence of Cyberspace. Barlow's declaration was widely derided even at the time; my favorite rebuttal was John Gilmore's riposte at Computers, Freedom, and Privacy 1995, that cyberspace was just a telephone network with pretensions. (Yes, the same John Gilmore who much more famously said, "The Internet perceives censorship as damage, and routes around it.")

Like all the best myths, the idea of the Net's full-bore robustness was both true and not true. It was true in the sense that the first iteration of the Net - ARPAnet - was engineered to share information and enable communications even after a bomb outage. But it was not true in the sense that there have always been gods who could shut down their particular bit of communications heaven. There are, in networking and engineering terms, central points of failure. It is also not true in the sense that a bomb is a single threat model, and the engineering decisions you make to cope with other threat models - such as, say, a government - might be different.

The key to withstanding a bomb outage - or in fact any other kind of outage - is redundancy. There are no service-level agreements for ADSL (at least in the UK), so if your business is utterly dependent on having a continuous Internet connection you have two broadband suppliers and a failover set-up for your router. You have a landline phone and a mobile phone, an email connection and private messaging on a social network, you have a back-up router, and a spare laptop. The Internet's particular form of redundancy comes from the way data is transmitted: the packets that make up every message do not have to follow any particular route when the sender types in a destination address. They just have to get there, just as last year passengers stranded by the Icelandic volcano looked for all sorts of creative alternative routes when their original direct flights were canceled.

Even in 1995, when Barlow and Gilmore were having that argument, the Internet had some clear central points of failure - most notably the domain name system, which relies on updates that ultimately come from a single source. At the physical level, it wouldn't take cutting too many cables - those ten backhoes again - to severely damage data flows.

But back then all of today's big, corporate Net owners were tiny, and the average consumer had many more choices of Internet service provider than today. In many parts of the US consumers are lucky to have two choices; the UK's rather different regulatory regime has created an ecology of small xDSL suppliers - but behind the scenes a great deal of their supply comes from BT. A small number of national ISPs - eight? - seems to be the main reason the Egyptian government was able to shut down access. Former BT Research head Peter Cochrane writes that Egyptians-in-the-street managed to find creative ways to get information out. But if the goal was to block people's ability to use social networks to organize protests, the Egyptian government may indeed have bought itself some time. Though I liked late-night comedian Conan O'Brien's take: "If you want people to stay at home and do nothing, turn the Internet back on."

While everyone is publicly calling foul on Egypt's actions, can there be any doubt that there are plenty of other governments who will be eying the situation with a certain envy? Ironically, the US government is the only one known to be proposing a kill switch. We have to hope that the $110 million the five-day outage is thought to have cost Egypt will give them pause.

In his recent book The Master Switch, Columbia professor Tim Wu uses the examples set by the history of radio, television, and the telephone network to argue that all media started their lives as open experiments but have gone on to become closed and controlled as they mature. The Internet, he says there, and again this week in the press, is likely on the verge of closing.

What would the closed Internet look like? Well, it might look something like Apple's ecology: getting an app into the app store requires central approval, for example. Or it might look something like the walled gardens to which many mobile network operators limit their customers' access. Or perhaps something like Facebook, which seeks to mediate its users' entire online experience: one reason so many people use it for messaging is that it's free of spam. In the history of the Internet, open access has beaten out such approaches every time. CompuServe and AOL's central planning lost to the Web; general purpose computers ruled.

I don't think it's clear which way the Internet will wind up, and it's much less clear whether it will follow the same path in all countries or whether dissidents might begin rebuilding the open Net by cracking out the old modems and NNTP servers. But if closure does happen, this week may have been the proof of concept.
